New RT-AC86U online, need advice on setting up SSHD


OK. So in the Yandex example any DNS query that isn't destined for Yandex's IPv6 DNS servers is dropped, presumably making the client retry using IPv4 and intercepted by those rules.

So we want it to do the same thing for all IPv6 DNS queries, not just Yandex. But it doesn't seem to be creating the rules properly.

So after setting the Global Filter Mode to Router you need to add the missing rules:

Code:
ip6tables -t mangle -N DNSFILTERF
ip6tables -t mangle -N DNSFILTERI
ip6tables -t mangle -A INPUT -i br0 -p udp -m udp --dport 53 -j DNSFILTERI
ip6tables -t mangle -A INPUT -i br0 -p tcp -m tcp --dport 53 -j DNSFILTERI
ip6tables -t mangle -A FORWARD -i br0 -p udp -m udp --dport 53 -j DNSFILTERF
ip6tables -t mangle -A FORWARD -i br0 -p tcp -m tcp --dport 53 -j DNSFILTERF
ip6tables -t mangle -A DNSFILTERI -j DROP
ip6tables -t mangle -A DNSFILTERF -j DROP

Try putting that in firewall-start and seeing what the end result looks like.

EDIT: We might end up with some duplicated rules in certain circumstances but hopefully that won't cause a problem.
 
We have achieved success. It is now working exactly as I had hoped. Thank you for the solution.
 
> We have achieved success. It is now working exactly as I had hoped. Thank you for the solution.
That's good news. You might want to test various combinations, like adding exceptions to the Global Filter Mode in case the order the rules are added causes problems.

At the end of the day it's a nasty hack that shouldn't be necessary. From what you posted it looks like there are some rules being created but they're not being applied properly. It looks like a bug IMHO that @RMerlin needs to cast his eye over.

:)
 
Thanks @ColinTaylor and @RMerlin for the assistance. I've expanded the rules to handle port 853 as well, now.
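Added example, not part of the thread and not the firmware's own code: the same rules written so that firewall-start can run repeatedly without creating the duplicated rules mentioned in the EDIT above. It assumes the router's ip6tables supports `-C`; `IP6T` and `DNS_PORTS` are names made up for this example, and the rules the poster actually used for port 853 are not shown in the thread.

```shell
#!/bin/sh
# Added example: idempotent form of the ip6tables rules posted above.
# IP6T and DNS_PORTS are names chosen for this example, not firmware settings.
IP6T="${IP6T:-ip6tables}"      # command to run; overridable for testing
DNS_PORTS="${DNS_PORTS:-53}"   # set to "53 853" to cover port 853 as well

# Create a mangle-table chain only if it is not already there.
ensure_chain() {
    $IP6T -t mangle -L "$1" -n >/dev/null 2>&1 || $IP6T -t mangle -N "$1"
}

# Append a rule only if -C (check) reports that no identical rule exists.
ensure_rule() {
    chain="$1"; shift
    $IP6T -t mangle -C "$chain" "$@" 2>/dev/null ||
        $IP6T -t mangle -A "$chain" "$@"
}

# Send all LAN (br0) IPv6 DNS traffic to chains that drop it.
apply_dns_drop() {
    ensure_chain DNSFILTERI
    ensure_chain DNSFILTERF
    for port in $DNS_PORTS; do
        for proto in udp tcp; do
            ensure_rule INPUT   -i br0 -p "$proto" -m "$proto" --dport "$port" -j DNSFILTERI
            ensure_rule FORWARD -i br0 -p "$proto" -m "$proto" --dport "$port" -j DNSFILTERF
        done
    done
    ensure_rule DNSFILTERI -j DROP
    ensure_rule DNSFILTERF -j DROP
}

# Act only when run as "<script> apply"; sourcing it just defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_dns_drop
fi
```

After a firewall restart, `ip6tables -t mangle -S` should list each of these rules exactly once.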
 
